You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We kindly ask you to include the following information in your report:
22
-
- Apache Superset version that you are using
23
-
- A sanitized copy of your `superset_config.py` file or any config overrides
24
-
- Detailed steps to reproduce the vulnerability
21
+
**Submission Standards & AI Policy**
22
+
23
+
To ensure engineering focus remains on verified risks and to manage high reporting volumes, all reports must meet the following criteria:
24
+
- Plain Text Format: In accordance with Apache guidelines, please provide all details in plain text within the email body. Avoid sending PDFs, Word documents, or password-protected archives.
25
+
- Mandatory AI Disclosure: If you utilized Large Language Models (LLMs) or AI tools to identify a flaw or assist in writing a report, you must disclose this in your submission so our triage team can contextualize the findings.
26
+
- Human-Verified PoC: All submissions must include a manual, step-by-step Proof of Concept (PoC) performed on a supported release. Raw AI outputs, hypothetical chat transcripts, or unverified scanner logs will be closed as Invalid.
27
+
28
+
We kindly ask you to include the following information in your report to assist our developers in triaging and remediating issues efficiently:
29
+
- Version/Commit: The specific version of Apache Superset or the Git commit hash you are using.
30
+
- Configuration: A sanitized copy of your `superset_config.py` file or any config overrides.
31
+
- Environment: Your deployment method (e.g., Docker Compose, Helm, or source) and relevant OS/Browser details.
32
+
- Impacted Component: Identification of the affected area (e.g., Python backend, React frontend, or a specific database connector).
33
+
- Expected vs. Actual Behavior: A clear description of the intended system behavior versus the observed vulnerability.
34
+
- Detailed Reproduction Steps: Clear, manual steps to reproduce the vulnerability.
35
+
36
+
**Out of Scope Vulnerabilities**
37
+
38
+
To prioritize engineering efforts on genuine architectural risks, the following scenarios are explicitly out of scope and will not be issued a CVE:
39
+
- Attacks requiring Admin privileges: (e.g., CSS injection, template manipulation, dashboard ownership overrides, or modifying global system settings). Per the CVE vulnerability definition in CNA Operational Rules 4.1, a qualifying vulnerability must allow violation of a security policy. The Admin role is a fully trusted operational boundary defined by Apache Superset's security policy; actions within this boundary do not violate that policy and are therefore considered intended capabilities 'by design,' not vulnerabilities.
40
+
- Brute Force and Rate Limiting: Reports targeting a lack of resource exhaustion protections, generic rate-limiting, or volumetric Denial of Service (DoS) attempts.
41
+
- Theoretical attack vectors: Issues without a demonstrable, reproducible exploit path.
42
+
- Non-Exploitable Findings: Missing security headers, generic banner disclosures, or descriptive error messages that do not lead to a direct, documented exploit.
43
+
44
+
**Outcome of Reports**
45
+
46
+
Reports that are deemed out-of-scope for a CVE but represent valid security best practices or hardening opportunities may be converted into public GitHub issues. This allows the community to contribute to the general hardening of the platform even when a specific vulnerability threshold is not met.
25
47
26
48
Note that Apache Superset is not responsible for any third-party dependencies that may
27
49
have security issues. Any vulnerabilities found in third-party dependencies should be
28
50
reported to the maintainers of those projects. Results from security scans of Apache
29
51
Superset dependencies found on its official Docker image can be remediated at release time
30
52
by extending the image itself.
31
53
54
+
**Vulnerability Aggregation & CVE Attribution**
55
+
56
+
In accordance with MITRE CNA Operational Rules (4.1.10, 4.1.11, and 4.2.13), Apache Superset issues CVEs based on the underlying architectural root cause rather than the number of affected endpoints or exploit payloads.
57
+
- Aggregation: If multiple exploit vectors stem from the same programmatic failure or shared vulnerable code, they must be aggregated into a single, comprehensive report.
58
+
- Independent Fixes: Separate CVEs will only be assigned if the vulnerabilities reside in decoupled architectural modules and can be fixed independently of one another.
59
+
Reports that fail to aggregate related findings will be merged during triage to ensure an accurate and defensible CVE record.
60
+
32
61
**Your responsible disclosure and collaboration are invaluable.**
0 commit comments